> A colleague ran a copy of Nikto, a scripted vuln. finder, against my server,
> and reported the following problems. The only one I've tested is the
> directory traversal, and it seems to be an issue. Will the upstream vendor
> patch these issues in Apache 2.0.46, or not? If not, does anyone know why
> not?

The upstream vendor backports security fixes into the existing version. Simply checking the version number is not a valid test for this simple fact. You can run 'rpm -q --changelog httpd' to see the fixes or you can look at the RH website and check their security releases there as well.

https://www.redhat.com/security/updates/

To understand what they're doing with the backporting and why, read this

http://www.redhat.com/advice/speaks_backport.html

--
"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety" Benjamin Franklin 1775
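
The changelog check suggested in the reply above, as an added example that is not part of the original message: it reads `rpm -q --changelog` output and reports which package release mentions a given fix, instead of trusting the upstream version number a scanner sees. The function names, packager, release strings and identifiers are constructed placeholders, and it assumes the last field of each `* ` header line is the version-release.

```shell
#!/bin/sh
# Added example: confirm a backported fix from the package changelog,
# not from the upstream version string.

# Constructed sample in the layout printed by `rpm -q --changelog`.
# Packager, dates, releases and IDs are placeholders, not real entries.
sample_changelog() {
cat <<'EOF'
* Mon Jan 05 2004 Example Packager <pkg@example.com> 2.0.46-0.example.3
- add security fix for CVE-0000-0001
- rebuild

* Mon Dec 01 2003 Example Packager <pkg@example.com> 2.0.46-0.example.2
- add security fixes for CAN-0000-0002, CAN-0000-0003
EOF
}

# fixed_in_release ID   (changelog text on stdin)
# Prints the newest release whose entry mentions ID.
# Returns 0 if found, 1 if not mentioned, 2 if ID is malformed.
fixed_in_release() {
    # Validate first so the ID can be used safely inside a regex.
    printf '%s\n' "$1" | grep -Eq '^(CVE|CAN)-[0-9]{4}-[0-9]{4,}$' || {
        echo "bad identifier: $1" >&2
        return 2
    }
    # Older entries use the CAN- candidate prefix for the same number,
    # so strip the prefix and match either form. The trailing group
    # stops 0001 from matching a longer number such as 00012.
    awk -v num="${1#????}" '
        /^\* / { release = $NF; next }   # header: remember version-release
        $0 ~ ("(CVE|CAN)-" num "([^0-9]|$)") { print release; found = 1; exit }
        END { exit !found }
    '
}

# Demo on the constructed sample. On a real host:
#   rpm -q --changelog httpd | fixed_in_release <ID>
for id in CVE-0000-0001 CVE-0000-0002 CVE-0000-0009; do
    if rel=$(sample_changelog | fixed_in_release "$id"); then
        echo "$id: fixed in $rel"
    else
        echo "$id: not mentioned in changelog"
    fi
done
```

A "not mentioned" result only means the changelog has no entry for that identifier; the vendor's security advisories are the other place to confirm.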